MySQL's LOAD DATA INFILE statement
Hi,
I'm incurring some problems with MySQL and SELinux, and I need help.

Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.

$ ps -eZ | grep mysqld
system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld

My problem is:
it is only possible to use "LOAD DATA INFILE" statement if SELinux is
in its permissive state.

Strangely, logs below show no avc denial (all I can tell from them is
Chinese tried to break into, and last line probably refers to when I
added mysql user to some group I created). But statement won't work in
enforcing state. Nothing gives me any tip concerning the referred MySQL
statement issue.

# cat /var/log/audit/audit.log | grep mysql
type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'

Firstly, where could that avc denial be in?

And, well, I want to keep SELinux enforcing its policies, except for
what is needed in order to make "LOAD DATA INFILE" work.

So, what would be the proper way to achieve that?

Marcio Barbado, Jr.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
MySQL's LOAD DATA INFILE statement
On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
> Hi,
> I'm incurring some problems with MySQL and SELinux, and I need help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is:
> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
> in its permissive state.

This event may have been silently denied.
To reproduce the issue and expose silent denials:

run: semodule -DB
reproduce the issue
see if there is now an AVC denial displayed that is related to your
issue
run: semodule -B
MySQL's LOAD DATA INFILE statement
Hi Dominick, thanks for answering.
This is a really unusual situation. So far I cannot explain why but
after re-enabling enforcement for more tests, statement happened to
work just as it did with permissive state.

I've used "semodule -DB" and reproduced issue in both states. Still no logs.

Testing will continue.

Regards,

On Sat, Jan 7, 2012 at 8:01 AM, Dominick Grift <dominick.grift@gmail.com> wrote:
> On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
>> Hi,
>> I'm incurring some problems with MySQL and SELinux, and I need help.
>>
>> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>>
>> $ ps -eZ | grep mysqld
>> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
>> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>>
>> My problem is:
>> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
>> in its permissive state.
>
> This event may have been silently denied.
> To reproduce the issue and expose silent denials:
>
> run: semodule -DB
> reproduce the issue
> see if there is now an AVC denial displayed that is related to your
> issue
> run: semodule -B

Marcio Barbado, Jr.
MySQL's LOAD DATA INFILE statement
On 01/09/2012 04:39 AM, Marcio B. Jr. wrote:
> Hi Dominick, thanks for answering.
>
> This is a really unusual situation. So far I cannot explain why but
> after re-enabling enforcement for more tests, statement happened to
> work just as it did with permissive state.
>
> I've used "semodule -DB" and reproduced issue in both states. Still no logs.
>
> Testing will continue.
>
> Regards,

Make sure auditd is running.

# service auditd status

You should see AVC msgs in /var/log/audit/audit.log or you can use the ausearch tool

# ausearch -m avc -ts recent

Also you should use a newer version of Fedora which is supported (Fedora15+).

> On Sat, Jan 7, 2012 at 8:01 AM, Dominick Grift <dominick.grift@gmail.com> wrote:
>> On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
>>> Hi,
>>> I'm incurring some problems with MySQL and SELinux, and I need help.
>>>
>>> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>>>
>>> $ ps -eZ | grep mysqld
>>> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
>>> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>>>
>>> My problem is:
>>> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
>>> in its permissive state.
>>
>> This event may have been silently denied.
>> To reproduce the issue and expose silent denials:
>>
>> run: semodule -DB
>> reproduce the issue
>> see if there is now an AVC denial displayed that is related to your
>> issue
>> run: semodule -B
>
> Marcio Barbado, Jr.
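The checks suggested in this thread, as an added example that is not part of any post: a shell script that counts raw audit records by type and lists the AVC denials whose source domain is mysqld_t. The sample records, the function names and the --live switch are constructed for illustration; --live runs the thread's semodule -DB, ausearch, semodule -B sequence as root.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All records in sample_log are constructed.
sample_log() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1326100001.100:31): user pid=2229 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" terminal=sshd res=failed'
type=AVC msg=audit(1326100050.200:40): avc:  denied  { read } for  pid=1410 comm="mysqld" name="import.csv" dev=dm-0 ino=131 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326100060.300:41): avc:  denied  { search } for  pid=1410 comm="mysqld" name="home" dev=dm-0 ino=2 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1326100070.400:42): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Count records per type= so it is obvious whether any AVC records exist at all.
record_types() {
    awk '$1 ~ /^type=/ { sub(/^type=/, "", $1); n[$1]++ }
         END { for (t in n) print t, n[t] }' | sort
}

# Print "source { perms } target:class comm=NAME" for denials whose source type is $1.
avc_denials() {
    awk -v dom="$1" '
        $1 == "type=AVC" && /avc: +denied/ {
            perms = $0
            sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
            src = tgt = cls = comm = "?"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
                if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            }
            if (src == dom) printf "%s { %s } %s:%s comm=%s\n", src, perms, tgt, cls, comm
        }'
}

# Live sequence from the thread (needs root); runs only when invoked with --live.
live_triage() {
    service auditd status || echo "auditd is not running" >&2
    semodule -DB    # rebuild policy with dontaudit rules disabled
    printf 'Reproduce the failing statement, then press Enter: '; read -r _
    ausearch -m avc -ts recent --raw | avc_denials "$1"
    semodule -B     # rebuild again so dontaudit rules are back in force
}

if [ "${1:-}" = "--live" ]; then
    live_triage "${2:-mysqld_t}"
else
    sample_log | record_types
    sample_log | avc_denials mysqld_t
fi
```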
MySQL's LOAD DATA INFILE statement
On 01/07/2012 12:26 AM, Marcio B. Jr. wrote:
> Hi,
> I'm incurring some problems with MySQL and SELinux, and I need help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is:
> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
> in its permissive state.
>
> Strangely, logs below show no avc denial (all I can tell from them is
> Chinese tried to break into, and last line probably refers to when I
> added mysql user to some group I created). But statement won't work in
> enforcing state. Nothing gives me any tip concerning the referred MySQL
> statement issue.
>
> # cat /var/log/audit/audit.log | grep mysql
> type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
>
> Firstly, where could that avc denial be in?
>
> And, well, I want to keep SELinux enforcing its policies, except for
> what is needed in order to make "LOAD DATA INFILE" work.
>
> So, what would be the proper way to achieve that?
>
> Marcio Barbado, Jr.

Please update to a supported OS, F15 or 16. 12 is way out of date.

Nothing in your log indicates SELinux is blocking anything.